At its core, the Internet Society’s collaborative security framework is approaching security as a distributed process. It is a process whereby various actors accept their responsibilities, in their respective roles, to decrease the various risks that we are exposed to when using the Internet. The open processes - where information is shared, discussed, criticized, and eventually leads to implementable improvements - are part of the genome from which the Internet is built and are at the core of the Collaborative Security idea.

The academic method is the archetype for these open processes: peer review, publication, and intellectual accountability bring constant improvement and innovation. Academic research, specifically applied security research, is an important tool to improve global Internet security. The NDSS Symposium, hosted by the Internet Society, is one of the most renowned conferences in this field.

As the NDSS website mentions, the conference brings together leaders in cyber security (university researchers and educators, chief technology and privacy officers, security analysts and system administrators, and operations and security managers) to encourage and enable the Internet community to apply, deploy, and advance the state of available network and distributed system security technology. In order to have the greatest impact, the peer-reviewed papers are freely available and reproducible (for noncommercial purposes).

Let's have a look at the program.

In addition to the main symposium, NDSS is hosting three workshops this year.

“TLSv1.3 - Ready or Not?” (TRON)

The TRON workshop intends to take a hard stab at the newest version of the Transport Layer Security (TLS) protocol. TLS is a generic building block that provides confidentiality and integrity in the Internet Protocol suite. It is used to provide end-to-end encryption and authentication for web traffic, for mail traffic, for messaging traffic, and for virtually any other conceivable form of Internet communication. The newest version of TLS, version 1.3, has just been specified by the IETF. Now, it is notoriously hard to integrate cryptographic primitives into protocols correctly. We (the NDSS program committee, IETF protagonists, and my ISOC colleagues) figured it would be a good idea to create an opportunity that allows “security researchers [to] have a real, immediate, and lasting impact on the security of the deployed Internet.”

Understanding and Enhancing Online Privacy (UEOP)

In the UEOP workshop, researchers are taking a look at how to improve the privacy of existing systems by supplying solutions that are easily deployable. The workshop intends to explore applications of the current understanding of privacy-sensitive technologies and phenomena to enhance online privacy. In contrast to a clean-slate approach, the evolutionary approach that the workshop organizers want to focus on resonates with what I think is the best way to approach large-scale Internet issues. (The organizers use the unfortunate and ambiguous terms ‘bottom-up’ and ‘top-down’ in the description of the workshop for what I read as clean-slate and evolutionary respectively.)

Usable Security (USEC)

The USEC workshop explores how better security can be achieved when we, as ethical, social and economically acting beings, interact with the security solutions at our disposal. The USEC workshop was hosted at NDSS last year as well, and a good overview of the various topics that will be discussed at the upcoming workshop can be gained from last year’s papers.

In addition to the TRON workshop, the first session includes a number of papers that expose vulnerabilities in the current use of TLS. A paper by Bhargavan and Leurent explores how weaknesses in transport layer protocols can be exploited. The vulnerability they found has been disclosed as “SLOTH”, which led one commenter to observe: “The big ‘cryptographic cracking’ story so far in 2016 is SLOTH, which is not only interesting and important, but also a VUWACONA, making it eye-catching as well. VUWACONA is short for Vulnerability With A Cool Name, our new acronym for bugs like LOGJAM, FREAK and Poodle.”

In the second session, Czyz et al. promise a discussion about the state of the implementation of IPv6 security policies as compared to the implementation of IPv4 security policies; they find several high-value target applications with a comparatively open security policy. In addition, Malhotra et al. will discuss the security of the Network Time Protocol (NTP), one of the core building-block network functions that, when vulnerable, impacts the functioning of other parts of the Internet. The research presented in this paper has already resulted in updates to deployed NTP software (here and here). This is an excellent example of quality research and responsible collaborative action taken to improve Internet infrastructure.

Session 3 on Web Security includes a paper by Rafique et al. that explores the security aspects of free live streaming services, maps the ecosystem, and proposes a methodology to automate the identification of these services, which are often the source of pirated content and malware. The other papers also apply automated methodologies to detect misconfiguration, misbehavior, and vulnerabilities.

There are several privacy tracks at the conference, one of which deals with privacy and mobile devices. In this session a light is shone on the various privacy aspects that have to do with using the Mobile Internet. Obviously we all know that the use of these devices has an impact on what others may be able to know about us. The majority of the papers promise to expose mechanisms that can be (or are) used to create a much richer picture of individuals than what they knowingly share with consent. I suspect that the details will demonstrate that the possibilities and scale are (again) beyond my wildest dreams, or nightmares.

The conference features a whole slew of papers on system security. These papers are distributed over two sessions on system and software security (session 8 and session 12) and one on Android security. The papers in these sessions all look at the integrity of the systems that we use all the time, and which surround us. In the abstract of a paper by Formby et al. on industrial control systems I read: “The distributed networks are difficult to physically secure, legacy equipment can make cryptography and regular patches virtually impossible, and compromises can result in catastrophic physical damage.” The paper introduces two fingerprinting techniques to detect intrusion. While this is important to secure the existing infrastructure, it is also important to draw lessons from it, because the quote above doesn’t only apply to industrial control systems that were built a decade or two ago, but also to the Internet of Things that we are rolling out now.

The papers coming out of this conference and other security conferences impact how we think about and implement security. Some serve as a wake-up call, some provide solutions, and some expose real problems.

The papers will be available from the NDSS 2016 web site shortly after the conference. We will be tracking the conference and highlighting and interpreting some of the papers that inspire us.